BugTraq
Permitting recursion can allow spammers to steal name server resources Sep 10 2003 02:52AM
Chris Brenton (cbrenton chrisbrenton org) (4 replies)
Re: Permitting recursion can allow spammers to steal name server resources Sep 14 2003 03:15AM
Devin Nate (devin nate bridgecomm net)
Re: Permitting recursion can allow spammers to steal name server resources Sep 10 2003 07:29PM
Dan Harkless (bugtraq harkless org) (1 replies)
Re: Permitting recursion can allow spammers to steal name server resources Sep 10 2003 10:00PM
Mike Hoskins (mike adept org)
On Wed, 10 Sep 2003, Dan Harkless wrote:
> On September 9, 2003, Chris Brenton <cbrenton (at) chrisbrenton (dot) org> wrote:
> [...]
> > "DNS Cache Poisoning - The Next Generation" by Joe Stewart, GCIH
> > http://www.securityfocus.com/guest/17905
> [...]
> > _Fixing the problem with Bind_
<snip>
> > allow-recursion { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
> As has been pointed out before, this still leaves you potentially open to
> cache poisoning if the attacker can spoof those addresses (and again, the
> attacker will need to be spoofing anyway, if attacking BIND 9).

luckily, more providers have begun properly filtering at ingress. granted,
spoofing is still quite possible from a large percentage of IPv4 space.

> The safest setup is to run authoritative nameservers on separate machines
> (or at least IPs) from caching recursive servers, as discussed, e.g. here:

FWIW, i think this can be derived from Joe's article as well. also,
anyone configuring BIND should see Rob Thomas' _Secure BIND Template_,

http://www.cymru.com/Documents/secure-bind-template.html

everything discussed here relating to BIND configuration (and more) is
covered there.

i'd also like to point out that the title of this thread is a bit
misleading, or at least not 100% accurate wrt the suggestions being given.
yes, we can arrive at a relatively secure DNS implementation using BIND or
other alternatives... however, even with a secure implementation, h4x0rz
can 'steal name server resources'; if you have a resolver (recursive or
not) attached to the public Internet, it can be bombarded with queries.
that, like many forms of 'legitimate use', is 'steal[ing] ... resources'
and can't be easily avoided (only mitigated). ;) it's also one of the
more frequent things i see reported on mailing lists these days...
particularly thanks to M$.

-mrh
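
As an added illustration (not part of the thread and not taken from the
Secure BIND Template), here is the setup Dan Harkless and Mike Hoskins
describe, written as BIND 9 named.conf fragments: the weak single-server
configuration beside the split into an authoritative-only host and a
caching-only host. The ACL addresses are the ones from Chris Brenton's
quoted allow-recursion line; the zone name, file paths, the secondary's
address and the listen-on address are placeholders, and each "host"
section is a separate named.conf, not one file.

```conf
// ---- Weak: one named.conf serving both roles (what the thread warns against) ----
// This instance is authoritative for example.com AND recurses for anyone.
// Adding allow-recursion with a source-IP ACL narrows it, but a UDP query
// forged from a "trusted" address still triggers recursion, so the ACL is
// only as strong as anti-spoofing filtering upstream.
options {
    directory "/var/named";
    recursion yes;            // the BIND default
    // no allow-recursion: every host on the Internet may use this cache
};
zone "example.com" IN { type master; file "master/example.com.zone"; };

// ---- Hardened, host A: authoritative only ----
// It never recurses, so there is no cache here for an outsider to poison
// and no recursion for a spammer to borrow.
options {
    directory "/var/named";
    recursion no;             // answer only for zones this host serves
    allow-query { any; };     // the world must be able to resolve example.com
    allow-transfer { none; }; // zone transfers only where a zone allows them
    version "not disclosed";
};
zone "example.com" IN {
    type master;
    file "master/example.com.zone";
    allow-transfer { 192.168.1.2; };   // placeholder: our secondary
};

// ---- Hardened, host B: caching resolver for internal networks only ----
// Separate machine, or at least a separate IP, from host A. allow-query
// refuses outsiders outright; allow-recursion restricts who may drive
// recursion. Both match on source IP, so ingress filtering still matters.
acl "trusted" { 172.16.1.1; 10.0.0.0/8; 192.168.1.0/24; };
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };          // placeholder internal address
    recursion yes;
    allow-query { "trusted"; };
    allow-recursion { "trusted"; };
    allow-transfer { none; };
    version "not disclosed";
};
```

Clients on the internal networks must point their resolvers at host B, not
host A; once host A has `recursion no`, a stub resolver that still uses it
for outside names will get refusals or referrals rather than answers.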

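
Mike's closing point is that any resolver reachable from the Internet can be
bombarded, and the thread's fix is to make sure the authoritative host does
not recurse at all. The following added example (mine, not from the thread)
is an offline check of that property: it builds a DNS query with the RD bit
set and classifies a raw response by its header flags (QR, RA, RCODE and
answer count). The two sample responses are constructed by hand, header only,
for illustration; `probe()` sends the same query to a real server and is the
only part that touches the network. The query name and the server address
in `probe()` are placeholders, and the name queried should be one the server
is not authoritative for, otherwise an authoritative answer looks like
recursion.

```python
"""Classify a DNS server's answer to a recursive query: open resolver or not.

Constructed sample packets only; no network access unless probe() is called.
"""
import socket
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: header with RD=1 and one IN question."""
    flags = 0x0100                                   # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += struct.pack("B", len(label)) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def classify_response(qid: int, data: bytes) -> str:
    """Interpret the 12-byte header of a response to build_query()."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        return "id-mismatch"          # not our transaction (or a spoof attempt)
    qr = (flags >> 15) & 1            # must be a response
    ra = (flags >> 7) & 1             # server says recursion is available
    rcode = flags & 0xF
    if not qr:
        return "malformed"
    if rcode == RCODE_REFUSED:
        return "refused"              # e.g. allow-query/allow-recursion denied us
    if ra and rcode == RCODE_NOERROR and ancount > 0:
        return "open-recursion"       # it recursed for a name it does not host
    if not ra:
        return "no-recursion"         # authoritative-only behaviour
    return "other"


# Constructed samples (header only): an open resolver answering, and a
# server that refuses the query outright.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR,RD,RA set
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR,RD, RCODE=5


def probe(server: str, qname: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a real server and classify the reply."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid), (server, 53))
        data, _peer = sock.recvfrom(512)
    return classify_response(qid, data)


if __name__ == "__main__":
    for name, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED)):
        print(name, "->", classify_response(0x1234, pkt))
```

A fixed transaction ID is fine for this diagnostic, but it is exactly what
a cache-poisoning attacker counts on in a real resolver; anything that keeps
a cache must randomise the ID (and, in practice, the source port).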